FTC Fining of Fertility App Premom Shows the Need to Rethink the Sharing of Personal Data with Third Parties

On May 17, 2023, the Federal Trade Commission (FTC) announced that it charged the developer of the free fertility app Premom with deceiving its users by not telling them that their sensitive personal information was being shared with third parties. Those third parties included Google and two China-based companies that the FTC says were known to have privacy problems.

Shockingly, the FTC said these unauthorized disclosures included “facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.” The two Chinese firms were also provided Premom users’ social media account information, precise geolocation, Wi-Fi network identifiers, and mobile device identifiers — all of which can be used to identify individual users. And these third parties were not restricted in how they could subsequently use this data.

Sharing is Not Caring

Premom is not the first healthcare app to have been the subject of an FTC enforcement action. In February 2023, the FTC charged telehealth and prescription drug provider GoodRx Holdings with failing to notify its users that it was disclosing health data to third parties. And in March 2023, the FTC went after the mental health counseling service BetterHelp to stop it from sharing sensitive healthcare data for advertising.

Other examples include researchers in 2022 discovering that healthcare apps such as the Drugs.com Medication Guide sent data to over one hundred outside entities, including device identifiers and queried terms such as “herpes,” “HIV,” “diabetes,” and “pregnancy.”

This goes beyond mobile app vendors. Big Tech firms also collect and use our sensitive healthcare data to facilitate targeted advertising. For example, The Markup documented how Meta was found to be receiving patient information from hospital websites through its tracking tool called the Meta Pixel. Even though Meta has claimed it discards this healthcare information, my research has shown Meta had captured me searching and scheduling a Covid test on a healthcare provider site.

Other Big Tech firms, such as Google, have made assurances that they would delete users’ abortion-related searches and their location data when they visit abortion clinics. But that is not what I found. In fact, Google collected and retained a complete dossier of my abortion-related searches and location tracking of me driving and parking outside a Planned Parenthood. Moreover, additional research has corroborated that Google is still keeping some abortion-related personal data.

We have a federal healthcare privacy law — the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has strict definitions of which entities are covered under the law, namely those that conduct certain electronic transactions, such as sending a claim to a health insurance company to request payment for medical services. This means your hospital is covered under HIPAA, but the health app on your phone is not, even though the app may process and store sensitive health data.

The FTC is trying to fill this gaping hole with its 2021 interpretation of the 2009 Health Breach Notification Rule. The FTC now interprets the “unauthorized acquisition of unsecured individually identifiable health information” in a healthcare app as a “security breach” and, therefore, a violation of this rule. Premom and GoodRx are the first two enforcement actions under this interpretation: both gave healthcare data to third parties for advertising purposes and did not tell users they were doing so. Thus, to the FTC, this constitutes a breach.

This puts app vendors on notice regarding the risky sharing of personal healthcare data. Still, the danger is that the FTC’s new interpretation of this rule may be challenged in court, much like rulemaking by the Environmental Protection Agency (EPA) and other agencies has been challenged. One pro-privacy analyst believes equating what Premom did to a security breach is a bit of a “stretch.” The FTC seems to be avoiding court challenges by imposing relatively low fines (e.g., $1.5 million for GoodRx and $100,000 for the developer of Premom), but it risks a challenge if it pursues more significant fines. Therefore, the FTC may be boxed in regarding how aggressively it can go after app vendors. And, of course, a change in administration may trigger a rollback of this interpretation.

Hopefully, the FTC’s interpretation can stand. Still, the real solution is to update HIPAA for today’s mobile world so that it covers sensitive health information collected and processed by healthcare apps and connected devices. Furthermore, sensitive health-related internet searches should also be protected. HIPAA was passed in 1996, which means it predates the iPhone and the formation of Google and Meta. So, it needs this much-needed mobile makeover.

This is even more critical because we now find ourselves in a post-Roe world where our personal health information can be subpoenaed and even weaponized against us. In a world where a reporter can purchase for $160 a week’s worth of information on where people came and went from a Planned Parenthood, it can’t come soon enough.

And hopefully, this action by the FTC will also get app providers asking themselves, “Do I really need to share all this personal data with third parties?” In other words, is it worth the risk?
